From 407864fc9a8679d677cf89f61bf26ddc762c1097 Mon Sep 17 00:00:00 2001
From: Mark Peace <mark.peace@neotechnology.com>
Date: Thu, 9 Jun 2016 15:22:55 +0100
Subject: [PATCH] Escape property keys when creating table view

---
 app/scripts/directives/neoTable.coffee |  4 ++--
 test/spec/directives/neoTable.coffee   | 33 ++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/app/scripts/directives/neoTable.coffee b/app/scripts/directives/neoTable.coffee
index 4379f7f6fe5..a2c14c7133b 100644
--- a/app/scripts/directives/neoTable.coffee
+++ b/app/scripts/directives/neoTable.coffee
@@ -35,7 +35,7 @@ angular.module('neo4jApp.directives')
         json2html = (obj) ->
           return emptyMarker() unless Object.keys(obj).length
           html  = "<table class='json-object'><tbody>"
-          html += "<tr><th>#{k}</th><td>#{cell2html(v)}</td></tr>" for own k, v of obj
+          html += "<tr><th>#{Utils.escapeHTML(k)}</th><td>#{cell2html(v)}</td></tr>" for own k, v of obj
           html += "</tbody></table>"
           html
 
@@ -59,7 +59,7 @@ angular.module('neo4jApp.directives')
           html  = "<table class='table data'>"
           html += "<thead><tr>"
           for col in cols
-            html += "<th>#{col}</th>"
+            html += "<th>#{Utils.escapeHTML(col)}</th>"
           html += "</tr></thead>"
           html += "<tbody>"
           if result.displayedSize
diff --git a/test/spec/directives/neoTable.coffee b/test/spec/directives/neoTable.coffee
index 4b7cec6e8dc..c3d797125bf 100644
--- a/test/spec/directives/neoTable.coffee
+++ b/test/spec/directives/neoTable.coffee
@@ -33,3 +33,36 @@ describe 'Directive: neoTable', () ->
       columns: -> ['col']
     scope.$apply()
     expect(element.html()).toContain('&lt;script&gt;')
+
+  it 'should escape HTML characters in column name', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[]]
+      displayedSize: 1
+      columns: -> ['<p>']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
+
+  it 'should escape HTML characters in property name', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[{'<p>':'value'}]]
+      displayedSize: 1
+      columns: -> ['col']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')
+
+  it 'should escape HTML characters in property value', inject ($rootScope, $compile) ->
+    scope = $rootScope.$new()
+    element = angular.element '<neo-table table-data="val"></neo-table>'
+    element = $compile(element)(scope)
+    scope.val =
+      rows: -> [[{'key':'<p>'}]]
+      displayedSize: 1
+      columns: -> ['col']
+    scope.$apply()
+    expect(element.html()).toContain('&lt;p&gt;')